[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Slapd issue

To: Philip Bellino <pbellino@mrv.com>
Subject: Re: Slapd issue
From: Howard Chu <hyc@symas.com>
Date: Thu, 01 Feb 2007 13:17:25 -0800
Cc: openldap-software@openldap.org
In-reply-to: <4D8794260B62C940BBA7150CC5EB3BD496BC25@bosmail.BOS.int.mrv.com>
References: <4D8794260B62C940BBA7150CC5EB3BD496BC25@bosmail.BOS.int.mrv.com>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a2pre) Gecko/20070128 Netscape/7.2 (ax) Firefox/1.5 SeaMonkey/1.5a

Philip Bellino wrote:

Hello, I am running slapd(openldap-2.3.32) on a linux host. I am also running openldap-2-32-3 on a linux client. If I use the "allow_bind_v2" switch in the slapd.conf file, I can do anonymous simple binds from the client to the server over TCP with no problems. I can also do simple login/password authentication with no problems.

Anonymous Simple Binds are allowed regardless of the "allow_bind_v2" option. As its name implies, that option only controls whether to accept Binds that specify LDAPv2. That option defaults to off and generally should stay off. LDAPv3 has been around for 10 years already and LDAPv2 was officially retired 4 years ago; there's no good reason for anybody to still be using it now.

I now an trying to use v3 secure connections. When I attempt to authenticate, I get the following errors from the slapd logs (in bold):
TLS trace: SSL_accept:SSLv3 flush data
*tls_read: want=5 error=Resource temporarily unavailable*
*TLS trace: SSL_accept:error in SSLv3 read client certificate A*
*TLS trace: SSL_accept:error in SSLv3 read client certificate A*

This error was ignored by slapd, otherwise the log would have shown the connection being closed here. This behavior is normal, since you didn't require client certificate verification.

daemon: epoll: listen=7 active_threads=0 tvp=NULL daemon: epoll: listen=8 active_threads=0 tvp=NULL daemon: epoll: listen=9 active_threads=0 tvp=NULL daemon: epoll: listen=10 active_threads=0 tvp=NULL daemon: activity on 1 descriptor daemon: activity on: 14r daemon: read active on 14 connection_get(14) connection_get(14): got connid=0 connection_read(14): checking for input on id=0 tls_read: want=5, got=5 0000: 15 03 01 00 02 ..... tls_read: want=2, got=2 0000: 02 30 .0 *TLS trace: SSL3 alert read:fatal:unknown CA* *TLS trace: SSL_accept:failed in SSLv3 read client certificate A* *TLS: can't accept.* *TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1057* *connection_read(14): TLS accept failure error=-1 id=0, closing* connection_closing: readying conn=0 sd=14 for close connection_close: conn=0 sd=14

This shows that the client sent an "unknown CA" message to the server and that the client considered it a fatal error, and closed the connection.

It loks to me as is slapd is trying to read the client certificate even though my slapd.conf file entry "*TLSVerifyClient never*" is set. I am new to this all, so I do not know if I am interpreting this correctly or not.

That is not the important part of the trace.

Any help would be most appreciated.


Read the Admin Guide section on Using TLS.
http://www.openldap.org/doc/admin23/tls.html


Thanks,
Phil Bellino
============================
Phil Bellino
MRV Communications, Inc.
Boston Product Division
295 Foster St.
Littleton,MA 01460
Tel: (978)952-4807
Email: pbellino@mrv.com
============================

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  Chief Architect, OpenLDAP     http://www.openldap.org/project/

References:
- Slapd issue
  - From: "Philip Bellino" <pbellino@mrv.com>

Prev by Date: Re: Bind using credentials from another directory server
Next by Date: Re: Multi Master Enviornment for Openldap 2.3
Index(es):
- Chronological
- Thread